Nginx負載均衡 ssl原理 生成ssl密鑰對 Nginx配置ssl
阿新 • • 發佈:2018-06-13
nginx負載均衡一、Nginx負載均衡
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/2426bcef5e232354120f95385fe9e988.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#dig //dig命令其實就是解析
bash: dig: command not found
#yum install -y bind-utils
#dig qq.com //解析qq.com,可以看到qq.com解析到了3個IP上,可以使用這3個IP去做負載均衡
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/f8fc736834445834b71c73639acb2ebb.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#cd /usr/local/nginx/conf/vhost/
#vi ld.conf
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/71c25e0d6f4411ee9381547b7616d175.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#/usr/local/nginx/sbin/nginx -t
#/usr/local/nginx/sbin/nginx -s reload
#curl -x127.0.0.1:80 www.qq.com //訪問qq.com會返回qq.com主頁的網頁源碼,這就是負載均衡
知識點:Nginx不支持代理https,如果有一臺web服務器是通過https訪問的,它只支持通過80端口訪問,不支持訪問它的443端口
二、ssl原理
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/ddab4fb3031671624591ff2c82e46765.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
crt private是私鑰,用來進行解密的;crt public是公鑰,用來進行加密的
三、生成ssl密鑰對
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/207ab018999b51df1171fa2acfc84304.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#cd /usr/local/nginx/conf
#rpm -qf
#openssl genrsa -des3 -out tmp.key 2048 //生成rsa格式的私鑰,長度2048
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/8c00f0df2d1946e4b54b43d49b073b44.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#openssl rsa -in tmp.key -out aminglinux.key //-in指定哪一個密鑰要被轉換,-out指定輸出的,tmp.key和aminglinux.key其實是密鑰,tmp.key是有密碼的,aminglinux是沒有密碼的
#rm -f tmp.key //這時候可以刪除有密碼的tmp.key這個密鑰了
#openssl req -new -key aminglinux.key -out aminglinux.csr //生成證書請求文件,需要拿這個文件和私鑰一起生產公鑰文件
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/14b4ee945af5039c740ecda65299297f.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
上圖的這些內容可以自定義
#openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
//-days 365表示證書日期是一年
Signature oksubject=/C=11/ST=BeiJing/L=BeiJing/O=aming/OU=aming/CN=aminglinux/[email protected]
br/>subject=/C=11/ST=BeiJing/L=BeiJing/O=aming/OU=aming/CN=aminglinux/[email protected]
#ls aminglinux. //使用tab鍵
aminglinux.crt aminglinux.csr aminglinux.key //這裏的.crt為公鑰,.key為私鑰
四、Nginx配置ssl
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/c7df1d5e21ed238fff38153a87cc6251.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#cd /usr/local/nginx/conf/vhost/
#mkdir /data/wwwroot/aming.com //創建一個aming.com文件夾,在下面配置文件的root中使用
#vim ssl.conf //生成新的配置文件ssl.conf文件
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/ff6506fc073ff992fd1c3b09dc4c9aea.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#/usr/local/nginx/sbin/nginx -t //報錯,不能識別ssl,需要重新編譯nginx
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
#cd /usr/local/src/nginx-1.14.0/
#/usr/local/nginx/sbin/nginx -V //查看支持哪些
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx
#./configure --help |grep -i ssl //查看需要增加ssl的哪個配置,需要增加--with-http_ssl_module
-with-http_ssl_module enable ngx_http_ssl_module
-with-mail_ssl_module enable ngx_mail_ssl_module
-with-stream_ssl_module enable ngx_stream_ssl_module
-with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
-with-openssl=DIR set path to OpenSSL library sources
-with-openssl-opt=OPTIONS set additional build options for OpenSSL
#./configure --prefix=/usr/local/nginx --with-http_ssl_module
#make
#make install
#/usr/local/nginx/sbin/nginx -V //再次查看,多了--with-http_ssl_module
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
#/usr/local/nginx/sbin/nginx -t //檢查語法
#/etc/init.d/nginx restart //重啟nginx
#cd /data/wwwroot/aming.com/
#vim index.html //創建測試文件
This is ssl.
#vi /etc/hosts
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/2ceb45398bd53b5affb0f812fbaa3ef4.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#curl https://aming.com/ //提示證書不安全,原因是我們自己生成的
如果需要購買證書,可以到沃通官網:https://www.wosign.com/去購買
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/2426bcef5e232354120f95385fe9e988.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#dig //dig命令其實就是解析
bash: dig: command not found
#yum install -y bind-utils
#dig qq.com //解析qq.com,可以看到qq.com解析到了3個IP上,可以使用這3個IP去做負載均衡
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/f8fc736834445834b71c73639acb2ebb.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#cd /usr/local/nginx/conf/vhost/
#vi ld.conf
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/71c25e0d6f4411ee9381547b7616d175.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#/usr/local/nginx/sbin/nginx -t
#/usr/local/nginx/sbin/nginx -s reload
#curl -x127.0.0.1:80 www.qq.com //訪問qq.com會返回qq.com主頁的網頁源碼,這就是負載均衡
二、ssl原理
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/ddab4fb3031671624591ff2c82e46765.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
crt private是私鑰,用來進行解密的;crt public是公鑰,用來進行加密的
三、生成ssl密鑰對
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/207ab018999b51df1171fa2acfc84304.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#cd /usr/local/nginx/conf
#rpm -qf
which openssl
//查看某個命令需要安裝哪個包,這裏需要先安裝openssl這個命令#openssl genrsa -des3 -out tmp.key 2048 //生成rsa格式的私鑰,長度2048
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/8c00f0df2d1946e4b54b43d49b073b44.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#openssl rsa -in tmp.key -out aminglinux.key //-in指定哪一個密鑰要被轉換,-out指定輸出的,tmp.key和aminglinux.key其實是密鑰,tmp.key是有密碼的,aminglinux是沒有密碼的
#openssl req -new -key aminglinux.key -out aminglinux.csr //生成證書請求文件,需要拿這個文件和私鑰一起生產公鑰文件
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/14b4ee945af5039c740ecda65299297f.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
上圖的這些內容可以自定義
#openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
//-days 365表示證書日期是一年
Signature oksubject=/C=11/ST=BeiJing/L=BeiJing/O=aming/OU=aming/CN=aminglinux/[email protected]
#ls aminglinux. //使用tab鍵
aminglinux.crt aminglinux.csr aminglinux.key //這裏的.crt為公鑰,.key為私鑰
四、Nginx配置ssl
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/c7df1d5e21ed238fff38153a87cc6251.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#cd /usr/local/nginx/conf/vhost/
#mkdir /data/wwwroot/aming.com //創建一個aming.com文件夾,在下面配置文件的root中使用
#vim ssl.conf //生成新的配置文件ssl.conf文件
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/ff6506fc073ff992fd1c3b09dc4c9aea.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#/usr/local/nginx/sbin/nginx -t //報錯,不能識別ssl,需要重新編譯nginx
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
#cd /usr/local/src/nginx-1.14.0/
#/usr/local/nginx/sbin/nginx -V //查看支持哪些
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx
#./configure --help |grep -i ssl //查看需要增加ssl的哪個配置,需要增加--with-http_ssl_module
-with-http_ssl_module enable ngx_http_ssl_module
-with-mail_ssl_module enable ngx_mail_ssl_module
-with-stream_ssl_module enable ngx_stream_ssl_module
-with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
-with-openssl=DIR set path to OpenSSL library sources
-with-openssl-opt=OPTIONS set additional build options for OpenSSL
#./configure --prefix=/usr/local/nginx --with-http_ssl_module
#make
#make install
#/usr/local/nginx/sbin/nginx -V //再次查看,多了--with-http_ssl_module
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
#/usr/local/nginx/sbin/nginx -t //檢查語法
#/etc/init.d/nginx restart //重啟nginx
#cd /data/wwwroot/aming.com/
#vim index.html //創建測試文件
This is ssl.
#vi /etc/hosts
![技術分享圖片](http://i2.51cto.com/images/blog/201806/13/2ceb45398bd53b5affb0f812fbaa3ef4.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
#curl https://aming.com/ //提示證書不安全,原因是我們自己生成的
如果需要購買證書,可以到沃通官網:https://www.wosign.com/去購買
Nginx負載均衡 ssl原理 生成ssl密鑰對 Nginx配置ssl